symfony
diff --git a/‎UPGRADE-5.2.md
Lines changed: 2 additions & 0 deletions b/‎UPGRADE-5.2.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎UPGRADE-6.0.md
Lines changed: 2 additions & 0 deletions b/‎UPGRADE-6.0.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
+11Lines changed: 11 additions & 3 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
+11Lines changed: 11 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SessionPass.php
Lines changed: 15 additions & 2 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SessionPass.php
Lines changed: 15 additions & 2 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 7 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php
Lines changed: 11 additions & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php
Lines changed: 11 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php
Lines changed: 13 additions & 7 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php
Lines changed: 13 additions & 7 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Session/DeprecatedSessionFactory.php
Lines changed: 38 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Session/DeprecatedSessionFactory.php
Lines changed: 38 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/SessionPass.php
Lines changed: 45 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/SessionPass.php
Lines changed: 45 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/RequestStack.php
Lines changed: 14 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/RequestStack.php
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Lines changed: 4 additions & 1 deletion b/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Security/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
@@ -16,6 +16,7 @@ FrameworkBundle
    used to be added by default to the seed, which is not the case anymore. This allows sharing caches between
    apps or different environments.
  * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Deprecated the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 Form
 ----
@@ -125,3 +126,4 @@ Security
    `AbstractRememberMeServices::$firewallName`, the old property will be removed
    in 6.0.
 
+ * The `$session` constructor argument of `SessionTokenStorage` has been deprecated and replaced by the `$requestStack` one which expects an `RequestStack`.
@@ -59,6 +59,7 @@ FrameworkBundle
  * The `form.factory`, `form.type.file`, `translator`, `security.csrf.token_manager`, `serializer`,
    `cache_clearer`, `filesystem` and `validator` services are now private.
  * Removed the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Removed the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 HttpFoundation
 --------------
@@ -151,6 +152,7 @@ Security
    in `PreAuthenticatedToken`, `RememberMeToken`, `SwitchUserToken`, `UsernamePasswordToken`,
    `DefaultAuthenticationSuccessHandler`.
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
+ * The `$session` constructor argument of `SessionTokenStorage` has been replaced by the `$requestStack` one which expects an `RequestStack`  instead.
 
 TwigBundle
 ----------
 
@@ -15,6 +15,7 @@ CHANGELOG
  * added `assertFormValue()` and `assertNoFormValue()` in `WebTestCase`
  * Added "--as-tree=3" option to `translation:update` command to dump messages as a tree-like structure. The given value defines the level where to switch to inline YAML
  * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Deprecated the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 5.1.0
 -----
 
@@ -92,7 +92,7 @@ public static function getSubscribedServices()
             'request_stack' => '?'.RequestStack::class,
             'http_kernel' => '?'.HttpKernelInterface::class,
             'serializer' => '?'.SerializerInterface::class,
-            'session' => '?'.SessionInterface::class,
+            'session' => '?sessionDeprecatedDoNotUse',
             'security.authorization_checker' => '?'.AuthorizationCheckerInterface::class,
             'twig' => '?'.Environment::class,
             'doctrine' => '?'.ManagerRegistry::class,
@@ -199,11 +199,19 @@ protected function file($file, string $fileName = null, string $disposition = Re
      */
     protected function addFlash(string $type, $message): void
     {
-        if (!$this->container->has('session')) {
+        // BC for symfony/http-foundation < 5.2
+        if (method_exists($requestStack = $this->container->get('request_stack'), 'getSession')) {
+            $session = $requestStack->getSession();
+        } elseif ((null !== $request = $requestStack->getCurrentRequest()) && $request->hasSession()) {
+            $session = $request->getSession();
+        } else {
+            $session = null;
+        }
+        if (null === $session) {
             throw new \LogicException('You can not use the addFlash method if sessions are disabled. Enable them in "config/packages/framework.yaml".');
         }
 
-        $this->container->get('session')->getFlashBag()->add($type, $message);
+        $session->getFlashBag()->add($type, $message);
     }
 
     /**
 
@@ -22,16 +22,29 @@ class SessionPass implements CompilerPassInterface
 {
     public function process(ContainerBuilder $container)
     {
-        if (!$container->hasDefinition('session')) {
+        if (!$container->has('session')) {
             return;
         }
 
+        // BC layer: When user overrides the `session` service it's not an alias anymore.
+        if ($container->hasDefinition('session')) {
+            $definition = $container->getDefinition('session');
+            $definition->setDeprecated('symfony/framework-bundle', '5.2', 'The "%service_id%" service is deprecated, use "$requestStack->getSession()" instead.');
+
+            // Given `session` is not an alias to `.session.do-not-use` anymore,
+            // we make `.session.do-not-use` an alias of `session`.
+            $container->removeDefinition('.session.do-not-use');
+            $container->setAlias('.session.do-not-use', 'session');
+        } else {
+            $definition = $container->getDefinition('.session.do-not-use');
+        }
+
         $bags = [
             'session.flash_bag' => $container->hasDefinition('session.flash_bag') ? $container->getDefinition('session.flash_bag') : null,
             'session.attribute_bag' => $container->hasDefinition('session.attribute_bag') ? $container->getDefinition('session.attribute_bag') : null,
         ];
 
-        foreach ($container->getDefinition('session')->getArguments() as $v) {
+        foreach ($definition->getArguments() as $v) {
             if (!$v instanceof Reference || !isset($bags[$bag = (string) $v]) || !\is_array($factory = $bags[$bag]->getFactory())) {
                 continue;
             }
 
@@ -135,6 +135,7 @@
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
@@ -1531,6 +1532,12 @@ private function registerSecurityCsrfConfiguration(array $config, ContainerBuild
         // Enable services for CSRF protection (even without forms)
         $loader->load('security_csrf.php');
 
+        // BC for symfony/security-core < 5.2
+        if (!(new \ReflectionClass(SessionTokenStorage::class))->hasMethod('getSession')) {
+            $container->getDefinition('security.csrf.token_storage')
+                ->setArgument(0, new Reference('session'));
+        }
+
         if (!class_exists(CsrfExtension::class)) {
             $container->removeDefinition('twig.extension.security_csrf');
         }
 
@@ -122,7 +122,17 @@ public function loginUser($user, string $firewallContext = 'main'): self
 
         $token = new TestBrowserToken($user->getRoles(), $user);
         $token->setAuthenticated(true);
-        $session = $this->getContainer()->get('session');
+        // BC for symfony/http-foundation < 5.2
+        if (method_exists($requestStack = $this->getContainer()->get('request_stack'), 'getSession')) {
+            $session = $requestStack->getSession();
+        } elseif ((null !== $request = $requestStack->getCurrentRequest()) && $request->hasSession()) {
+            $session = $request->getSession();
+        } else {
+            $session = null;
+        }
+        if (null === $session) {
+            throw new \LogicException('Unable to find a session.');
+        }
         $session->set('_security_'.$firewallContext, serialize($token));
         $session->save();
 
 
@@ -27,7 +27,7 @@
         ->alias(TokenGeneratorInterface::class, 'security.csrf.token_generator')
 
         ->set('security.csrf.token_storage', SessionTokenStorage::class)
-            ->args([service('session')])
+            ->args([service('request_stack')])
 
         ->alias(TokenStorageInterface::class, 'security.csrf.token_storage')
 
 
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
+use Symfony\Bundle\FrameworkBundle\Session\DeprecatedSessionFactory;
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBag;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
@@ -33,15 +34,20 @@
     $container->parameters()->set('session.metadata.storage_key', '_sf2_meta');
 
     $container->services()
-        ->set('session', Session::class)
-            ->public()
+        ->set('.session.do-not-use', Session::class) // to be removed in 6.0
             ->args([
                 service('session.storage'),
                 null, // AttributeBagInterface
                 null, // FlashBagInterface
                 [service('session_listener'), 'onSessionUsage'],
             ])
-        ->alias(SessionInterface::class, 'session')
+        ->set('sessionDeprecatedDoNotUse', SessionInterface::class) // to be removed in 6.0
+            ->factory([inline_service(DeprecatedSessionFactory::class)->args([service('request_stack')]), 'getSession'])
+        ->alias('session', '.session.do-not-use')
+            ->public()
+            ->deprecate('symfony/framework-bundle', '5.2', 'The "%alias_id%" alias is deprecated, use "$requestStack->getSession()" instead.')
+        ->alias(SessionInterface::class, '.session.do-not-use')
+            ->deprecate('symfony/framework-bundle', '5.2', 'The "%alias_id%" alias is deprecated, use "$requestStack->getSession()" instead.')
         ->alias(SessionStorageInterface::class, 'session.storage')
         ->alias(\SessionHandlerInterface::class, 'session.handler')
 
@@ -65,12 +71,12 @@
             ])
 
         ->set('session.flash_bag', FlashBag::class)
-            ->factory([service('session'), 'getFlashBag'])
+            ->factory([service('.session.do-not-use'), 'getFlashBag'])
             ->deprecate('symfony/framework-bundle', '5.1', 'The "%service_id%" service is deprecated, use "$session->getFlashBag()" instead.')
         ->alias(FlashBagInterface::class, 'session.flash_bag')
 
         ->set('session.attribute_bag', AttributeBag::class)
-            ->factory([service('session'), 'getBag'])
+            ->factory([service('.session.do-not-use'), 'getBag'])
             ->args(['attributes'])
             ->deprecate('symfony/framework-bundle', '5.1', 'The "%service_id%" service is deprecated, use "$session->getAttributeBag()" instead.')
 
@@ -94,8 +100,8 @@
         ->set('session_listener', SessionListener::class)
             ->args([
                 service_locator([
-                    'session' => service('session')->ignoreOnInvalid(),
-                    'initialized_session' => service('session')->ignoreOnUninitialized(),
+                    'session' => service('.session.do-not-use')->ignoreOnInvalid(),
+                    'initialized_session' => service('.session.do-not-use')->ignoreOnUninitialized(),
                     'logger' => service('logger')->ignoreOnInvalid(),
                     'session_collector' => service('data_collector.request.session_collector')->ignoreOnInvalid(),
                 ]),
 
@@ -0,0 +1,38 @@
+<?php
+
+namespace Symfony\Bundle\FrameworkBundle\Session;
+
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+/**
+ * Provides session and trigger deprecation.
+ * Used by service that should trigger deprecation when accessed by user
+ *
+ * @author Jérémy Derussé <jeremy@derusse.com>
+ * @internal to be removed in 6.0
+ */
+class DeprecatedSessionFactory
+{
+    private $requestStack;
+
+    public function __construct(RequestStack $requestStack)
+    {
+        $this->requestStack = $requestStack;
+    }
+
+    public function getSession(): ?SessionInterface
+    {
+        trigger_deprecation('symfony/framework-bundle', '5.1', 'The "session" service is deprecated, use "$requestStack->getSession()" instead.');
+
+        // BC for symfony/http-foundation < 5.2
+        if (method_exists($this->requestStack, 'getSession')) {
+            return $this->requestStack->getSession();
+        }
+        if ((null !== $request = $this->requestStack->getCurrentRequest()) && $request->hasSession()) {
+            return $request->getSession();
+        }
+
+        return null;
+    }
+}
@@ -41,7 +41,7 @@ public function process(ContainerBuilder $container)
             TokenStorageInterface::class => new BoundArgument(new Reference('security.untracked_token_storage'), false),
         ]);
 
-        if (!$container->has('session')) {
+        if (!$container->has('session.storage')) {
             $container->setAlias('security.token_storage', 'security.untracked_token_storage')->setPublic(true);
             $container->getDefinition('security.untracked_token_storage')->addTag('kernel.reset', ['method' => 'reset']);
         } elseif ($container->hasDefinition('security.context_listener')) {
 
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * Replace deprecated `session` service in "security.token_storage"
+ * when UsageTrackingTokenStorage is able to fetch Session from RequestStack.
+ *
+ * @author jérémy Derussé <jeremy@derusse.com>
+ *
+ * @internal to be removed in 6.0
+ */
+class SessionPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container)
+    {
+        if (!$container->hasDefinition('security.token_storage')) {
+            return;
+        }
+
+        $definition = $container->getDefinition('security.token_storage');
+        if ((new \ReflectionClass($definition->getClass()))->hasMethod('getSession')) {
+            return;
+        }
+
+        $locator = $definition->getArgument(1);
+        $values = $locator->getValues();
+        unset($values['request_stack']);
+        $values['session'] = new Reference('session');
+        $locator->setValues($values);
+    }
+}
@@ -74,7 +74,7 @@
             ->args([
                 service('security.untracked_token_storage'),
                 service_locator([
-                    'session' => service('session'),
+                    'request_stack' => service('request_stack'),
                 ]),
             ])
             ->tag('kernel.reset', ['method' => 'disableUsageTracking'])
 
@@ -18,6 +18,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterGlobalSecurityEventListenersPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterLdapLocatorPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterTokenUsageTrackingPass;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\SessionPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\SortFirewallListenersPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\CustomAuthenticatorFactory;
@@ -81,6 +82,7 @@ public function build(ContainerBuilder $container)
         $container->addCompilerPass(new RegisterGlobalSecurityEventListenersPass(), PassConfig::TYPE_BEFORE_REMOVING, -200);
         // execute after ResolveChildDefinitionsPass optimization pass, to ensure class names are set
         $container->addCompilerPass(new SortFirewallListenersPass(), PassConfig::TYPE_BEFORE_REMOVING);
+        $container->addCompilerPass(new SessionPass());
 
         $container->addCompilerPass(new AddEventAliasesPass(array_merge(
             AuthenticationEvents::ALIASES,
 
@@ -10,6 +10,7 @@ CHANGELOG
  * added ability to use comma separated ip addresses for `RequestMatcher::matchIps()`
  * added `Request::toArray()` to parse a JSON request body to an array
  * added `RateLimiter\RequestRateLimiterInterface` and `RateLimiter\AbstractRequestRateLimiter`
+ * added `RequestStack::getSession` method.
 
 5.1.0
 -----
 
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\HttpFoundation;
 
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
 /**
  * Request stack that controls the lifecycle of requests.
  *
@@ -100,4 +102,16 @@ public function getParentRequest()
 
         return $this->requests[$pos];
     }
+
+    /**
+     * Gets the current session.
+     */
+    public function getSession(): ?SessionInterface
+    {
+        if (null === $request = end($this->requests) ?: null) {
+            return null;
+        }
+
+        return $request->hasSession() ? $request->getSession() : null;
+    }
 }
@@ -61,7 +61,10 @@ public function onKernelRequest(RequestEvent $event)
         if ($request->hasSession()) {
             // no-op
         } elseif (method_exists($request, 'setSessionFactory')) {
-            $request->setSessionFactory(function () { return $this->getSession(); });
+            $sess = null;
+            $request->setSessionFactory(function () use (&$sess) {
+                return $sess ?? $sess = $this->getSession();
+            });
         } elseif ($session = $this->getSession()) {
             $request->setSession($session);
         }
 
@@ -14,6 +14,7 @@ CHANGELOG
  * Added a CurrentUser attribute to force the UserValueResolver to resolve an argument to the current user.
  * Added `LoginThrottlingListener`.
  * Added `LoginLinkAuthenticator`.
+ * Deprecated passing a `SessionInterface` to `SessionTokenStorage`, inject a `RequestStack` instead.
 
 5.1.0
 -----